Customer Token Generated on Website A Can Be Used on Website B in Website-Scoped Customer Configuration

[bashizee]

Preconditions and environment

Issue Description

We have a Magento instance configured with website-scoped customers (customer/account_share/scope = 1).

When a customer logs in on Website A using the GraphQL mutation:
mutation { generateCustomerToken( email: "customer@example.com" password: "password" ) { token } }
However, we observed that the same token can be used to authenticate GraphQL requests against Website B, even though customers are configured to be website-scoped.

Steps to reproduce

Steps to Reproduce
1. Configure Magento with website-scoped customers.
2. Log in to Website A using generateCustomerToken.
3. Obtain the customer token.
4. Send a GraphQL request to Website B using: Authorization: Bearer <token_from_website_A>

Expected result

When customer accounts are website-scoped, a customer token generated for Website A should only be valid for the customer account belonging to Website A. The token should not authenticate requests against a different website that has a separate customer scope.

Actual result

A token generated on Website A can be reused successfully on Website B, allowing authentication across websites despite website-scoped customer configuration.

Additional information

No response

Release note

No response

Triage and priority

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant]

Hi @bashizee. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.

• For more details, review the Magento Contributor Assistant documentation.
• Add a comment to assign the issue: @magento I am working on this
• To learn more about issue processing workflow, refer to the Code Contributions.

---

Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

[github-jira-sync-bot]

✅ Jira issue https://jira.corp.adobe.com/browse/AC-17299 is successfully created for this GitHub issue.

[engcom-Bravo]

Hi @bashizee,

Thanks for your reporting and collaboration.

We have tried to reproduce the issue in Latest 2.4-develop instance and we are able to reproduce the issue.Please refer the screenshot.

same token can be used to authenticate GraphQL requests against Website B.Hence Confirming the issue.

Thanks.